Oracle Critical Patch Update Fixes 136 Vulnerabilities

Oracle has released security fixes for 136 vulnerabilities across multiple products in its Critical Patch Update (CPU) for April 2016.

Many of the vulnerabilities addressed in the CPU are remotely exploitable, with fixes issued for Oracle’s Database Server, E-Business Suite, Sun Products, MySQL, and Java SE, among other product families.

April’s Critical Patch Update, which also addresses 22 flaws in Oracle Fusion Middleware, is the first one that uses Common Vulnerability Scoring System (CVSS) 3.0.

Released by FIRST in June 2015, CVSS 3.0 adds factors such as Scope, Privileges Required and User Interaction to the base metrics so that severity can be rated more accurately, with base scores ranging from 0.0 to 10.0 and the 9.0 to 10.0 band labelled Critical.

“…I’m glad to see such changes in the scoring system, as there were many discussions about the quality of CVSS v.2.0,” said Alexander Polyakov, CTO at ERPScan, as quoted by Softpedia. “For example, vendors could rate issues discovered in their products as less critical (intentionally or unintentionally) because of some flaws in this scoring system. Now the recently updated system is more accurate and many drawbacks affecting the previous version were resolved.”

In total, seven vulnerabilities included in the CPU received the maximum CVSS rating of 10.0. Under CVSS 3.0 that score is only reachable when a flaw can be attacked over the network without authentication or user interaction, has low attack complexity, causes high impact, and its effects spill beyond the vulnerable component (changed scope). Bugs with that profile are the ones that have tended to be exploited within a month of a patch becoming available.

With that in mind, Chris Goettl, product manager with Shavlik, says sysadmins should prioritize patching some vulnerabilities over others.

“I recommend the following priorities be added to your April Patch Tuesday activities: Java SE (four of seven), MySQL (two of seven) and Sun Systems Products Suite (one of seven) should be updated in this cycle,” he suggests, as quoted by Security Week. “I know many of you are already a week in, but these are vulnerabilities that stand a higher chance of being exploited before your next monthly patch cycle.”

For more information about the vulnerabilities addressed in Oracle’s April CPU, including how to apply the necessary patches, see Oracle’s Critical Patch Update advisory for April 2016.

News of these fixes comes close to one year after Oracle patched a Java zero-day bug and 192 other vulnerabilities in its July 2015 Critical Patch Update.